As I understand it, my client should use the ClientLoginModule to collect username/password, and then the server should be configured to use a login module that will read the username/password passed from the client.

I believe that everything is working on the client end, as after login a Subject has been created with a Principal named for my username, and SecurityAssociation.getPrincipal() and SecurityAssociation.getCredential() have been set (which is what I expect from poking around in the ClientLoginModule code).

On the server end, my custom login module is being called. This passes a NameCallback to the provided CallbackHandler, but the name does not get set to the username I provided at the client end.

I guess my expectation is that the CallbackHandler provided by the container would have the principal and credential from the client passed by whatever mechanism JBoss uses.

Attaching a debugger, the CallbackHandler appears to be a SecurityAssociationHandler (wrapped by a SecureCallbackHandler), which should set the name of a NameCallback to the name of the Principal the SecurityAssociationHandler is initialised with. However, both the Principal and the Credential are null, so nothing appears to have been propagated from the client.

This is part of the client code. Does it need to be doing something different?

When I turned on client logging as you suggested, it became clear that I was doing something unbelievably stupid in my client - logging out in my factory class before any of the business methods were called.